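#!/bin/bash
# flushfw.sh - stop the firewall started by startfw: set every policy in the
# filter/nat/mangle tables to ACCEPT, flush and delete all chains, then unload
# the netfilter (ip*) kernel modules.
#
# I (Jan Labanowski, jkl@ccl.net) took it from (I believe) Dirk Bartley's
# presentation from http://www.kalamazoolinux.org/presentations/
# Namely, the actual file was:
# http://www.kalamazoolinux.org/presentations/20010417/flush
#
# When you want to stop the firewall just type
#   ./flushfw.sh
#
# I assume that on a production machine this script will reside in /usr/sbin/
# and will be only read/write/executable by root (700).
# I also use this script in the /etc/rc.d/init.d/iptables-jkl script which
# starts iptables on boot.
#
# SECURITY NOTE: once this script has run, every built-in chain policy is
# ACCEPT and no rules remain -- the host is completely unfiltered until
# startfw (or the init script) is run again.
#
# Exit status: 0 when the tables were reset and every ip* module is unloaded
# (or no ip* module was loaded to begin with); 1 when some module is still
# loaded after MAX_RMMOD_ATTEMPTS rounds of rmmod.

# Absolute paths on purpose: a script run as root must not trust $PATH.
IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
RMMOD=/sbin/rmmod
AWK=/bin/awk
GREP=/bin/grep
SLEEP=/bin/sleep

# Upper bound on rmmod rounds.  The original loop retried forever, which hangs
# the boot/shutdown sequence whenever a module matching '^ip' can never be
# removed (e.g. ipv6, which is not a netfilter module but matches the pattern).
MAX_RMMOD_ATTEMPTS=10

#######################################
# Print the names of loaded kernel modules whose name starts with "ip".
# Outputs: one module name per line on stdout (nothing when none are loaded)
#######################################
loaded_ip_modules() {
  # lsmod's header line starts with "Module", so it never matches '^ip'.
  "$LSMOD" | "$AWK" '{print $1}' | "$GREP" '^ip'
}

#######################################
# Set the policy of the given built-in chains of a table to ACCEPT, then flush
# every chain in the table and delete all user-defined chains.
# Arguments: $1 - table name (filter, nat, mangle)
#            $2.. - built-in chains whose policy is reset
# Outputs:   iptables diagnostics on stderr, if any
#######################################
reset_table() {
  local table=$1
  shift
  local chain
  for chain in "$@"; do
    "$IPTABLES" -t "$table" -P "$chain" ACCEPT
  done
  "$IPTABLES" -t "$table" -F   # flush all rules in every chain
  "$IPTABLES" -t "$table" -X   # remove all user-defined chains
}

#######################################
# Reset the tables and unload the ip* modules.
# Returns: 0 on success, 1 if modules remain loaded after the retry budget
#######################################
main() {
  local modules
  modules=$(loaded_ip_modules)
  if [ -z "$modules" ]; then
    # NOTE(review): this assumes netfilter is modular.  With netfilter built
    # into the kernel no ip* module is ever loaded, so the tables (and any
    # DROP policies) are left untouched here -- confirm against the kernel
    # in use before relying on this script as "firewall off".
    echo No iptables modules found in kernel
    exit 0
  fi

  # Flush everything and remove iptables modules.
  reset_table filter INPUT OUTPUT FORWARD
  reset_table nat PREROUTING OUTPUT POSTROUTING
  # mangle has also had INPUT/FORWARD/POSTROUTING since kernel 2.4.18; on an
  # older kernel those -P calls merely print an error and the rest still runs.
  reset_table mangle PREROUTING INPUT FORWARD OUTPUT POSTROUTING
  # The raw and security tables of newer kernels are not touched here.

  # Not required: stop forwarding as well.
  # echo 0 > /proc/sys/net/ipv4/ip_forward

  # Unload the modules in rounds: the modules depend on each other (ipt_*
  # before ip_tables, etc.) and one rmmod pass only removes those nothing
  # else still uses, so re-read lsmod and retry until the list is empty.
  local attempt=0
  local -a list
  local m
  while :; do
    modules=$(loaded_ip_modules)
    [ -n "$modules" ] || return 0
    if [ "$attempt" -ge "$MAX_RMMOD_ATTEMPTS" ]; then
      printf 'Giving up after %d rmmod attempts; still loaded:\n%s\n' \
        "$attempt" "$modules" >&2
      return 1
    fi
    attempt=$((attempt + 1))
    list=()
    while IFS= read -r m; do
      list+=("$m")
    done <<<"$modules"
    echo "Removing modules:${list[*]}"
    "$RMMOD" "${list[@]}"
    "$SLEEP" 2
  done
}

main "$@"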